Last week, web hosting and cloud computing provider Linode published a blog post admitting that some of its systems had been hacked. At the time, they claimed that only one of their customers had been impacted, but as a precaution, they had reset all user passwords.
However, on Monday, a hacker using the online moniker “ryan,” an alleged member of the Hack The Planet (HTP) group, revealed that they had gained access to Linode’s databases, including customer passwords and credit card information.
The hacker claims to have struck a deal with Linode staff not to release the information they’ve stolen. However, he says the company hasn’t “hold on to their part of the deal,” so the data will be released soon.
We’ve reached out to Linode representatives to see if they can comment on the hacker’s allegations. They’ve pointed us to a blog post that they published moments ago.
In the post, the company admits that the HTP group has in fact managed to breach their systems by exploiting a recently patched vulnerability in Adobe ColdFusion.
“As a result of the vulnerability, this group gained access to a web server, parts of our source code, and ultimately, our database. We have been working around the clock since discovering this vulnerability,” Linode stated.
“Our investigation reveals that this group did not have access to any other component of the Linode infrastructure, including access to the host machines or any other server or service that runs our infrastructure.”
As far as credit card information is concerned, the hosting firm says that all numbers are stored in an encrypted format, using public and private encryption keys.
In an IRC chat, the hacker has admitted that the credit card data is encrypted, but he says that the public and private keys are stored on the webserver, so they're not really secure.
On the other hand, Linode states that it has no evidence that decrypted credit cards have been obtained.
“The private key is itself encrypted with passphrase encryption and the passphrase is not stored electronically. Along with the encrypted credit card, the last four digits are stored in clear text to assist in lookups and for display on things like your Account tab and payment receipt emails.”
The salted and hashed cryptographical representations of user passwords are stored in the company’s databases, but Linode representatives say they’re useless since all passwords were reset on Friday.